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REMARKS 

In view of both the amendments presented above and 
the following discussion, the Applicants submit that none of 
the claims now pending in the application is obvious under 
the provisions of 35 USC § 103. Thus, the Applicants 
believe that all of these claims are now in allowable form. 

If, however, the Examiner believes that there are 
any unresolved issues requiring adverse final action in any 
of the claims now pending in the application, the Examiner 
should telephone Mr. Peter L. Michaelson, Esq. at 
(732) 542-7800 so that appropriate arrangements can be made 
for resolving such issues as expeditiously as possible. 

Interview Summary 

The Applicants' representative conducted a 
telephonic interview with the Examiner commencing at 
approximately 2 PM on April 19, 2006. This interview 
addressed the pending § 103 rejection in this application 
and specifically the Applicants sought clarification from 
the Examiner as to the basis of the rejection and her 
interpretation of the claim 15 as it then stood. The 
Applicants also presented their view of the rejection and 
claim 15. No specific claim amendments were discussed. 

For brevity, the Examiner's views are discussed in 
the next section of this amendment which addresses the 
obviousness rejection of claim 15. 
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The Applicants sincerely thank the Examiner for 
the opportunity to have conducted the interview and for all 
the courtesies she extended to the Applicants' 
representative in connection therewith. 

Specification amendments 

Various amendments have been made to the 
specification to correct minor inadvertent typographical 
errors that remained in the specification. 

Status of claims 

Claim 15 has been amended. No other claims have 
been amended. No claims have been cancelled or added. 

Rejections under 35 USC § 103 

1. Claims 15, 16, 17 and 24 

The Examiner rejected independent claim 15 and 
dependent claims 16, 17 and 24, under the provisions of 35 
USC § 103, as being obvious over the teachings in the 
Moroney et al patent (United States patent 5,054,067 issued 
to P. Moroney et al on October 1, 1991) in view of the 
Kocher et al patent (United States patent 6,327,661 issued 
to P. C. Kocher et al on December 4, 2 001) . In view of the 
amendment now made to claim 15, this rejection is 
respectfully traversed. 

Specifically, the Examiner take the position that 
the Moroney et al patent substantially teaches loading 
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plaintext and an encryption key into a shift register, that 
has both linear and non- linear feedback functions, to 
produce a pseudorandom non-linear sequence. However, the 
Examiner concedes that this patent fails to teach use of 
this method as it would apply to protecting a smart card 
from attack. Given that failing, the Examiner then turns to 
the Kocher et al patent for its teachings of a method to 
clock a microprocessor in a smart card wherein a 
pseudo- random number generator is used to implement 
clock- skipping and thus protect the card from attack. 
Specifically, col. 6, line 65 through col. 7, line 18 of 
that patent, teaches that the clock interval is 
intentionally randomly varied to increase the difficulty of 
detecting cryptographic operations through detection of the 
card's power consumption and/or electromagnetic radiation 
produced by the card. Given these teachings, the Examiner 
concluded that it would have been obvious for one skilled in 
the art to simply incorporate a shift register containing 
both linear and non-linear feedback elements, as taught by 
the Moroney et al patent, into the arrangement taught by the 
Kocher et al patent as a way to generate pseudo-random 
timing patterns that would defeat cryptanalysis to a greater 
extent than that provided through the teachings of the 
Kocher et al patent alone, and, by doing so, arrive at the 
Applicants' present invention. 

As the Examiner will shortly appreciate, her 
conclusion is not correct with respect to claim 15, as it 
currently stands. 

For the sake of brevity, the Applicants will not 
summarize the salient teachings of the Moroney et al and 
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Kocher et al patents, but instead will simply direct the 
Examiner's attention to the Applicants 1 prior amendment 
mailed November 4, 2 006, and particularly the second full 
paragraph on page 12 through the partial full paragraph on 
the top of page 15, for that summarization. 

As set forth in that amendment, the Applicants 
have recognized that by appropriately and independently 
controlling both the linear and non- linear feedback 
functions in their inventive shift -register based apparatus, 
the leakage data can be made sufficiently resistant to 
statistical analysis. While doing so is advantageously 
relatively simple and economical to implement, a significant 
degree of additional protection against cryptanalysis 
results . 

The Applicants have now amended claim 15 to recite 
that the linear and non-linear feedback elements "function 
separately from each other", i.e., are independent of each 
other. 

If, as the Examiner postulates, the teachings of 
the Moroney et al patent, particularly regarding the use of 
linear and non-linear shift register feedback elements, were 
to be incorporated into the arrangement taught by the Kocher 
patent and presumably (given that the Examiner does not 
specify exactly where) into clock skipping module 240, then 
the linear and non-linear feedback elements would function 
together and not independently of each other. Why? 

Examination of the Kocher et al patent, 
specifically FIG. 2 which shows the clock-skipping module as 
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part of the overall clocking circuitry, indicates a single 
clock line 220 applied to the clock skipping module and a 
single clock line 260 applied to both microprocessor 
core 225 and cryptographic accelerator 280. In that regard, 
this patent expressly states in col. 7, line 20 et seq and 
in pertinent part: 



"Referring now to FIG. 2, random number 
generator 200 ... is used to determine which clock 
cycles (or clock state transitions) are to be used by 
microprocessor core 225. ... Clock skipping module 240 
then combines . . . random output 205 with clock 
signal 220 received from external smartcard 
interface 210. Of course, clock signal 220 can also 
originate from another source (for example, if the 
invention is implemented in environments other than 
smart cards) . ... 

Within clock skipping module 240, random 
output 205 is used to select cycles of clock signal 220 
to skip in order to produce clock signal 260. 
Alternatively, random output 2 05 can be used to select 
the closest corresponding cycles of clock signal 220 to 
be used as clock signal 260, or random output 205 can 
even be used as clock signal 260 itself. Still other 
approaches are possible . . . ; the basic point being that 
clock signal 260 be (partially or wholly) decorrelated 
from external clock signal 220 via random output 205. 

Additionally, clock skipping module 240 can 
optionally monitor the clock rate (or either clock 
signal 22 0 or 2 60) to prevent attackers from stopping 
the clock and analyzing the device in a halted state or 
from operating the device too quickly." 

Proceeding with the Examiner's combination, the 
feedback shift register taught by the Moroney et al patent 
would most likely be driven by the single clock on line 260 
produced by clock skipping module 24 0 or by a single clock 
line within the module. What this means is the 
clock-skipping algorithm would simultaneously affect the 
timing of both the linear and non-linear elements, as both 
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would be fed by a common clock signal. Hence, any change in 
the clock signal would impact the operation of both feedback 
elements, not just one of them. 

Why, in this context, is single clock line 260 
rather revealing? Because it indicates to one skilled in 
the art that the same clock, consisting of skipped clock 
pulses, as taught by the Kocher et al patent, in all 
likelihood would control the shift register and, as such, be 
applied to both the linear and non-linear feedback elements. 
This unequivocally means that both the linear and non-linear 
feedback elements would function not independently of each 
other but simultaneously and through that common clock 
signal. Consequently, both feedback elements would be 
active at the same time. There is simply no realistic basis 
for any other view as module 24 0 is expressly described as 
producing a single clock signal, not two independent clock 
signals . 

This approach drastically differs from the present 
invention through which the linear and non- linear feedback 
elements are controlled independently of each other, which 
includes use of, e.g., two different clock signals: one for 
the linear element and another for the non-linear element, 
through which one element can be active while the other is 
not. See, e.g., paragraphs 35 and 3 6 on pages 6-7 of the 
Applicants' substitute specification, filed with their prior 
amendment, which describes the non-linear element as being 
controlled separately from the linear element such that to 
the former element can be deactivated while data is being 
loaded but the latter element remains active. Independently 
controlling these elements injects considerably more 
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complexity into their outputs, hence rendering 
cryptanalysis, based on, e.g., differential power analysis, 
considerably more difficult than if both elements, as would 
seem to be taught by the Kocher et al patent, were 
controlled through a common clock signal. 

No teachings, whether express or implied, exist in 
the Kocher et al patent that would indicate to anyone of 
skill that module 240 in the arrangement in FIG. 2 should be 
modified to produce a second clock signal, independent of 
that appearing on line 260. The Kocher et al patent simply 
does not disclose or suggest the concept of independently 
controlling two separate cryptographic operations separately 
from each other, whether through use of two different clock 
signals or another technique. In fact, any such teachings 
would contradict the rather explicit teachings in this 
figure and in the text quoted above. 

Moreover, no one faced with the teachings of the 
Kocher et al patent would even think to include to 
separately control the linear and non- linear feedback 
functions, such as through use of a second clock signal, as 
doing so would inject added complexity into the arrangement 
and seem, at least from the teachings of that patent, to be 
extraneous . 

As such, the combined teachings of the Kocher et 
al and the Moroney et al patents stop far short of the 
present invention, as now recited in claim 15. 

Independent claim 15, as it presently stands, 
contains suitable recitations directed at the distinguishing 
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features of the present invention. In particular, this 
claim recites as follows, with those recitations shown in a 
bolded typeface: 

"A method for protecting a portable card, provided 
with a cryptographic algorithm for enciphering data 
and/or authenticating the card, against deriving a 
secret key used in the card from statistical analysis 
of information leaking away from the card to an outside 
world in the event of cryptographic operations 
performed by the card, the card being provided with at 
least a shift register having linear and non-linear 
feedback functions for implementing cryptographic 
algorithms, the method comprising the steps of: 

loading data to be processed and a secret key into 
the shift register of the card; and 

controlling the linear and non- linear feedback 
functions separately from each other in such a manner 
that collection of values of recorded leak- information 
signals is resistant to deriving the secret key through 
said statistical analysis of the values." [emphasis 
added] 

Neither the Kocher et al or Moroney et al patents, 
taken singly or in any combination, including that posed by 
the Examiner, contains any disclosure, teachings or 
suggestions, whether express or implicit, of use of a 
shift-register based arrangement for encrypting data which 
includes linear and non-linear feedback elements that 
function separately from each other and are appropriately 
controlled to make detection of a secret key, through 
detection of leak information, increasingly resistant to 
statistical analysis . 



As such, the Applicants submit that claim 15, as 
it now stands, is not rendered obvious by the teachings in 
the applied art, whether combined or not. Consequently, 
claim 15 is patentable under the provisions of 35 USC § 103. 
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Each of claims 16, 17 and 24 directly depends from 
independent claim 15 and recites further distinguishing 
aspects of the present invention. 

Accordingly, the Applicants submit that claim 16, 
17 and 24 are not rendered obvious by the teachings in the 
Moroney et al and Kocher et al patents for the same exact 
reasons set forth above regarding claim 15. As such, the 
Applicants submit that these dependent are patentable under 
the provisions of 35 USC § 103. 

2. Claims 18, 19 and 23 

The Examiner rejected dependent claims 18, 19 and 
23, under the provisions of 35 USC § 103, as being obvious 
over the teachings in the Moroney et al patent in view of 
the Kocher et al patent, as applied to claim 15, and further 
in view of the Shimada patent (United States patent 
6,278,780 issued to M . Shimada on August 21, 2001). This 
rejection is respectfully traversed. 

The Examiner states that the Shimada patent 
discloses a method where, with respect to: (a) claim 18, 
after an internal key has been loaded into a shift register, 
the register clocks on and data bits are loaded; (b) 
claim 19, after the shift register has been clocked on, the 
contents of the shift register is filled with the initial 
key; and (c) claim 23, where internal keys are generated as 
initial keys and utilized for linear feedback shift 
registers, and where the contents of the shift register are 
fixed in that the register is always empty in order for an 
initial key to be loaded. 
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As has been discussed in the Applicants' prior 
amendment mailed November 4, 2005, the Shimada patent 
discloses a method for generating, with sufficiently high 
speed and security, internal keys to be set in feedback shift 
registers of a pseudo-random sequence generator used in a 
stream cipher system for use in generating pseudo-random 
numbers. These numbers, in turn, are combined, through an 
exclusive-OR operation, with a data sequence with the result 
either being recorded on a recording medium or transmitted 
in a communication system. The purpose in using this method 
is to prevent a third-party from tapping the data sequence 
without permission. 

Specifically, the pseudo-random number generator, 
shown in FIG. 6 and described in col. 1, line 65 et seq of 
the Shimada patent -- which appear to be the only teachings 
in this patent particularly pertinent to the present 
invention, contains N linear or non-linear feedback shift 
registers Si, S n , each operating as a sub-generator. An 

internal key from keys Ki, . . . , K n is initially applied to 
each corresponding one of the feedback shift registers. 
Each such register is then shifted by one bit and provides 
its least significant bit, as output, to a combination 
function F. Each such register generates its most 
significant bit from its registered bit sequence and 
according to a certain feedback function. The combination 
function F generates a key-stream bit-by-bit according to a 
certain combination function from outputs of feedback shift 
registers Si to S n . 

The Shimada patent, being directed simply to 
producing a pseudo- random sequence, is also devoid of any 
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teachings relevant to the problem solved by the present 
Applicants; namely, how to protect a smart card from 
external attacks arising from statistical analysis of data 
leakage, let alone through a feedback shift register 
structure that employs independently operating linear and 
non-linear feedback elements. All that the Shimada patent 
teaches is a pseudo-random number generator. 

Merely incorporating such a generator as taught by 
the Shimada patent into a system predicated on the teachings 
of the Moroney et al and Kocher et al patents -- again 
assuming that the teachings of the latter two patents would 
in fact be combined by any one of skill in the art, would 
simply not result in a system that lies any closer to the 
Applicants 1 inventive teachings than would a system 
resulting from just combining the teachings in the Moroney 
et al and Kocher et al patents. Specifically, such a 
generator would simply take the place of the DFAST generator 
disclosed by the Moroney et al patent. 

Hence, new independent claim 15 is not rendered 
obvious over the teachings in these three applied patents, 
whether taken singly or in any combination -- including that 
posed by the Examiner, for the same exact reasons set forth 
above with respect to the Moroney et al and Kocher et al 
patents . 

Each of claims 18, 19 and 23 depends, either 
directly or indirectly, from independent claim 15 and 
recites further distinguishing aspects of the present 
invention. Consequently, the Applicants submit that each of 
these three dependent claims is not rendered obvious by the 
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teachings in these references. Consequently, all three of 
these claims are patentable over these applied references 
for the same reasons set forth above with respect to 
claim 15. 

3. Claims 20, 21 and 22 

The Examiner rejected dependent claims 2 0-22, 
under the provisions of 35 USC § 103, as being obvious over 
the teachings in the Moroney et al patent in view of the 
Kocher et al patent, as applied to claim 15, and further in 
view of the Rose patent (United States patent 6,510,228 
issued to G. G. Rose on January 21, 2003) . This rejection 
is also respectfully traversed. 

The Examiner states that the Rose patent discloses 
a method where, with respect to: (a) claim 21, during a 
clocking interval, an output is not generated and hence no 
new data is loaded into a shift register during or prior to 
that clocking; and (b) claims 20 and 22, since the input 
data is not being loaded into the shift register, the data 
is not connected to that register during that interval. 

Specifically and also as discussed in the 
Applicants' prior amendment mailed November 4, 2 005, the 
Rose patent discloses a method and apparatus for generating 
encryption stream ciphers, and in particular an encryption 
bit stream for use therein. Here, the bit stream is 
generated through use of a recurrence relation designed to 
operate over finite fields larger than a Galois Field of 
order 2 . 
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A linear feedback register, which can be realized 
using a circular buffer or sliding window, implements the 
recurrence relation. See, e.g., col. 2, line 26 et seq of 
this patent. As noted in col. 3, line 1 et seq, linearity 
is removed from the output of the shift register through use 
of one or a combination of various processes: irregular 
stuttering (also referred to as decimation) , a non-linear 
function, multiple shift registers coupled with combining 
the outputs of the registers, a variable feedback 
polynomial on one register, and other non-linear processes. 
Further and as indicated in col. 3, line 10 et seq, a 
non- linear output can be derived by performing a non- linear 
operation on selected elements of the shift register. 

For example, in the exemplary embodiment shown in 
FIG. 4 and as discussed in col. 10, lines 54 et seq of the 
Rose patent, stuttering and a non-linear function are used 
to remove the linearity of 16-byte shift register 52 from 
its output. The non-linear function is multiplication (62) 
of sums formed by modulo 256 adders 60a and 60b to which 
the values of four specific bytes in the register (S n and 
S n+5 ; and S n+2 and S n+ i2/ respectively) are collectively 
applied. Since the non- linear output derived from the 
state of the linear feedback shift register may (still) be 
used to reconstruct the state of the shift register, 
stuttering is introduced to render this reconstruction more 
difficult. Stuttering is performed by not representing 
some of the states at the output of the generator, and 
choosing which do so appear but in an unpredictable manner. 
To implement this, the non-linear output determines what 
subsequent bytes of the non- linear output appear in the 
output encryption bit stream. This is accomplished by 
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switch 68, buffer 70, multiplexer 64 and exclusive OR 
gate 66. See, col. 11, line 60 through col. 12, line 63. 

The Rose patent, being directed to a encryption 
bit stream generator for use in a stream cipher, is also 
devoid , just like the Shimada patent is, of any teachings 
relevant to the problem solved by the present Applicants; 
namely, how to protect a smart card from external attacks 
arising from statistical analysis of data leakage, let alone 
through use of a feedback shift register structure that 
employs independently operating linear and non-linear 
feedback elements. 

Merely incorporating an encryption bit stream 
generator as taught by the Rose patent into a system 
predicated on the teachings of the Moroney et al and Kocher 
et al patents here too assuming that the teachings of the 
latter two patents would in fact be combined by any one of 
skill in the art, would simply not result in a system that 
lies any closer to the Applicants' inventive teachings than 
would a system resulting from just combining the teachings 
in the Moroney et al and Kocher et al patents. 
Specifically, such a bit stream generator, though suitably 
modified for use in a block cipher, could simply be another 
way to generate a keystream and thus could be substituted 
for the DFAST generator disclosed by the Moroney et al 
patent . 

Hence, new independent claim 15 is not rendered 
obvious over the teachings in these three applied patents, 
whether taken singly or in any combination -- including that 
posed by the Examiner, for the same exact reasons set forth 
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above with respect to the Moroney et al and Kocher et al 
patents . 

Each of claims 20-22 depends, either directly or 
indirectly, from independent claim 15 and recites further 
distinguishing aspects of the present invention. 
Consequently, the Applicants submit that each of these two 
dependent claims is not rendered obvious by the teachings in 
these references. Hence, each of these three claims is 
patentable over the Moroney et al, Kocher et al and Rose 
patents for the same reasons set forth above with respect to 
claim 15. 

Conclusion 

Consequently, • the Applicants submit that none of 
the claims, presently in the application, is obvious under 
the provisions of 35 USC § 103. Thus, the Applicants 
believe that all their present claims are in condition for 
allowance. Accordingly, both reconsideration of this 
application and its swift passage to issue are earnestly 
solicited. 



Respectfully submitted, 
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